WP_REST_Users_Controller

Core class used to manage users via the REST API.

Defined (1)

The class is defined in the following location(s).

/wp-includes/rest-api/endpoints/class-wp-rest-users-controller.php  
  1. class WP_REST_Users_Controller extends WP_REST_Controller { 
  2.  
  3. /** 
  4. * Instance of a user meta fields object. 
  5. * @since 4.7.0 
  6. * @access protected 
  7. * @var WP_REST_User_Meta_Fields 
  8. */ 
  9. protected $meta; 
  10.  
  11. /** 
  12. * Constructor. 
  13. * @since 4.7.0 
  14. * @access public 
  15. */ 
  16. public function __construct() { 
  17. $this->namespace = 'wp/v2'; 
  18. $this->rest_base = 'users'; 
  19.  
  20. $this->meta = new WP_REST_User_Meta_Fields(); 
  21.  
  22. /** 
  23. * Registers the routes for the objects of the controller. 
  24. * @since 4.7.0 
  25. * @access public 
  26. * @see register_rest_route() 
  27. */ 
  28. public function register_routes() { 
  29.  
  30. register_rest_route( $this->namespace, '/' . $this->rest_base, array( 
  31. array( 
  32. 'methods' => WP_REST_Server::READABLE,  
  33. 'callback' => array( $this, 'get_items' ),  
  34. 'permission_callback' => array( $this, 'get_items_permissions_check' ),  
  35. 'args' => $this->get_collection_params(),  
  36. ),  
  37. array( 
  38. 'methods' => WP_REST_Server::CREATABLE,  
  39. 'callback' => array( $this, 'create_item' ),  
  40. 'permission_callback' => array( $this, 'create_item_permissions_check' ),  
  41. 'args' => $this->get_endpoint_args_for_item_schema( WP_REST_Server::CREATABLE ),  
  42. ),  
  43. 'schema' => array( $this, 'get_public_item_schema' ),  
  44. ) ); 
  45.  
  46. register_rest_route( $this->namespace, '/' . $this->rest_base . '/(?P<id>[\d]+)', array( 
  47. 'args' => array( 
  48. 'id' => array( 
  49. 'description' => __( 'Unique identifier for the user.' ),  
  50. 'type' => 'integer',  
  51. ),  
  52. ),  
  53. array( 
  54. 'methods' => WP_REST_Server::READABLE,  
  55. 'callback' => array( $this, 'get_item' ),  
  56. 'permission_callback' => array( $this, 'get_item_permissions_check' ),  
  57. 'args' => array( 
  58. 'context' => $this->get_context_param( array( 'default' => 'view' ) ),  
  59. ),  
  60. ),  
  61. array( 
  62. 'methods' => WP_REST_Server::EDITABLE,  
  63. 'callback' => array( $this, 'update_item' ),  
  64. 'permission_callback' => array( $this, 'update_item_permissions_check' ),  
  65. 'args' => $this->get_endpoint_args_for_item_schema( WP_REST_Server::EDITABLE ),  
  66. ),  
  67. array( 
  68. 'methods' => WP_REST_Server::DELETABLE,  
  69. 'callback' => array( $this, 'delete_item' ),  
  70. 'permission_callback' => array( $this, 'delete_item_permissions_check' ),  
  71. 'args' => array( 
  72. 'force' => array( 
  73. 'type' => 'boolean',  
  74. 'default' => false,  
  75. 'description' => __( 'Required to be true, as users do not support trashing.' ),  
  76. ),  
  77. 'reassign' => array( 
  78. 'type' => 'integer',  
  79. 'description' => __( 'Reassign the deleted user\'s posts and links to this user ID.' ),  
  80. 'required' => true,  
  81. 'sanitize_callback' => array( $this, 'check_reassign' ),  
  82. ),  
  83. ),  
  84. ),  
  85. 'schema' => array( $this, 'get_public_item_schema' ),  
  86. ) ); 
  87.  
  88. register_rest_route( $this->namespace, '/' . $this->rest_base . '/me', array( 
  89. array( 
  90. 'methods' => WP_REST_Server::READABLE,  
  91. 'callback' => array( $this, 'get_current_item' ),  
  92. 'args' => array( 
  93. 'context' => $this->get_context_param( array( 'default' => 'view' ) ),  
  94. ),  
  95. ),  
  96. array( 
  97. 'methods' => WP_REST_Server::EDITABLE,  
  98. 'callback' => array( $this, 'update_current_item' ),  
  99. 'permission_callback' => array( $this, 'update_current_item_permissions_check' ),  
  100. 'args' => $this->get_endpoint_args_for_item_schema( WP_REST_Server::EDITABLE ),  
  101. ),  
  102. array( 
  103. 'methods' => WP_REST_Server::DELETABLE,  
  104. 'callback' => array( $this, 'delete_current_item' ),  
  105. 'permission_callback' => array( $this, 'delete_current_item_permissions_check' ),  
  106. 'args' => array( 
  107. 'force' => array( 
  108. 'type' => 'boolean',  
  109. 'default' => false,  
  110. 'description' => __( 'Required to be true, as users do not support trashing.' ),  
  111. ),  
  112. 'reassign' => array( 
  113. 'type' => 'integer',  
  114. 'description' => __( 'Reassign the deleted user\'s posts and links to this user ID.' ),  
  115. 'required' => true,  
  116. 'sanitize_callback' => array( $this, 'check_reassign' ),  
  117. ),  
  118. ),  
  119. ),  
  120. 'schema' => array( $this, 'get_public_item_schema' ),  
  121. )); 
  122.  
  123. /** 
  124. * Checks for a valid value for the reassign parameter when deleting users. 
  125. * The value can be an integer, 'false', false, or ''. 
  126. * @since 4.7.0 
  127. * @param int|bool $value The value passed to the reassign parameter. 
  128. * @param WP_REST_Request $request Full details about the request. 
  129. * @param string $param The parameter that is being sanitized. 
  130. * @return int|bool|WP_Error 
  131. */ 
  132. public function check_reassign( $value, $request, $param ) { 
  133. if ( is_numeric( $value ) ) { 
  134. return $value; 
  135.  
  136. if ( empty( $value ) || false === $value || 'false' === $value ) { 
  137. return false; 
  138.  
  139. return new WP_Error( 'rest_invalid_param', __( 'Invalid user parameter(s).' ), array( 'status' => 400 ) ); 
  140.  
  141. /** 
  142. * Permissions check for getting all users. 
  143. * @since 4.7.0 
  144. * @access public 
  145. * @param WP_REST_Request $request Full details about the request. 
  146. * @return true|WP_Error True if the request has read access, otherwise WP_Error object. 
  147. */ 
  148. public function get_items_permissions_check( $request ) { 
  149. // Check if roles is specified in GET request and if user can list users. 
  150. if ( ! empty( $request['roles'] ) && ! current_user_can( 'list_users' ) ) { 
  151. return new WP_Error( 'rest_user_cannot_view', __( 'Sorry, you are not allowed to filter users by role.' ), array( 'status' => rest_authorization_required_code() ) ); 
  152.  
  153. if ( 'edit' === $request['context'] && ! current_user_can( 'list_users' ) ) { 
  154. return new WP_Error( 'rest_forbidden_context', __( 'Sorry, you are not allowed to list users.' ), array( 'status' => rest_authorization_required_code() ) ); 
  155.  
  156. if ( in_array( $request['orderby'], array( 'email', 'registered_date' ), true ) && ! current_user_can( 'list_users' ) ) { 
  157. return new WP_Error( 'rest_forbidden_orderby', __( 'Sorry, you are not allowed to order users by this parameter.' ), array( 'status' => rest_authorization_required_code() ) ); 
  158.  
  159. return true; 
  160.  
  161. /** 
  162. * Retrieves all users. 
  163. * @since 4.7.0 
  164. * @access public 
  165. * @param WP_REST_Request $request Full details about the request. 
  166. * @return WP_REST_Response|WP_Error Response object on success, or WP_Error object on failure. 
  167. */ 
  168. public function get_items( $request ) { 
  169.  
  170. // Retrieve the list of registered collection query parameters. 
  171. $registered = $this->get_collection_params(); 
  172.  
  173. /** 
  174. * This array defines mappings between public API query parameters whose 
  175. * values are accepted as-passed, and their internal WP_Query parameter 
  176. * name equivalents (some are the same). Only values which are also 
  177. * present in $registered will be set. 
  178. */ 
  179. $parameter_mappings = array( 
  180. 'exclude' => 'exclude',  
  181. 'include' => 'include',  
  182. 'order' => 'order',  
  183. 'per_page' => 'number',  
  184. 'search' => 'search',  
  185. 'roles' => 'role__in',  
  186. 'slug' => 'nicename__in',  
  187. ); 
  188.  
  189. $prepared_args = array(); 
  190.  
  191. /** 
  192. * For each known parameter which is both registered and present in the request,  
  193. * set the parameter's value on the query $prepared_args. 
  194. */ 
  195. foreach ( $parameter_mappings as $api_param => $wp_param ) { 
  196. if ( isset( $registered[ $api_param ], $request[ $api_param ] ) ) { 
  197. $prepared_args[ $wp_param ] = $request[ $api_param ]; 
  198.  
  199. if ( isset( $registered['offset'] ) && ! empty( $request['offset'] ) ) { 
  200. $prepared_args['offset'] = $request['offset']; 
  201. } else { 
  202. $prepared_args['offset'] = ( $request['page'] - 1 ) * $prepared_args['number']; 
  203.  
  204. if ( isset( $registered['orderby'] ) ) { 
  205. $orderby_possibles = array( 
  206. 'id' => 'ID',  
  207. 'include' => 'include',  
  208. 'name' => 'display_name',  
  209. 'registered_date' => 'registered',  
  210. 'slug' => 'user_nicename',  
  211. 'email' => 'user_email',  
  212. 'url' => 'user_url',  
  213. ); 
  214. $prepared_args['orderby'] = $orderby_possibles[ $request['orderby'] ]; 
  215.  
  216. if ( ! current_user_can( 'list_users' ) ) { 
  217. $prepared_args['has_published_posts'] = get_post_types( array( 'show_in_rest' => true ), 'names' ); 
  218.  
  219. if ( ! empty( $prepared_args['search'] ) ) { 
  220. $prepared_args['search'] = '*' . $prepared_args['search'] . '*'; 
  221. /** 
  222. * Filters WP_User_Query arguments when querying users via the REST API. 
  223. * @link https://developer.wordpress.org/reference/classes/wp_user_query/ 
  224. * @since 4.7.0 
  225. * @param array $prepared_args Array of arguments for WP_User_Query. 
  226. * @param WP_REST_Request $request The current request. 
  227. */ 
  228. $prepared_args = apply_filters( 'rest_user_query', $prepared_args, $request ); 
  229.  
  230. $query = new WP_User_Query( $prepared_args ); 
  231.  
  232. $users = array(); 
  233.  
  234. foreach ( $query->results as $user ) { 
  235. $data = $this->prepare_item_for_response( $user, $request ); 
  236. $users[] = $this->prepare_response_for_collection( $data ); 
  237.  
  238. $response = rest_ensure_response( $users ); 
  239.  
  240. // Store pagination values for headers then unset for count query. 
  241. $per_page = (int) $prepared_args['number']; 
  242. $page = ceil( ( ( (int) $prepared_args['offset'] ) / $per_page ) + 1 ); 
  243.  
  244. $prepared_args['fields'] = 'ID'; 
  245.  
  246. $total_users = $query->get_total(); 
  247.  
  248. if ( $total_users < 1 ) { 
  249. // Out-of-bounds, run the query again without LIMIT for total count. 
  250. unset( $prepared_args['number'], $prepared_args['offset'] ); 
  251. $count_query = new WP_User_Query( $prepared_args ); 
  252. $total_users = $count_query->get_total(); 
  253.  
  254. $response->header( 'X-WP-Total', (int) $total_users ); 
  255.  
  256. $max_pages = ceil( $total_users / $per_page ); 
  257.  
  258. $response->header( 'X-WP-TotalPages', (int) $max_pages ); 
  259.  
  260. $base = add_query_arg( $request->get_query_params(), rest_url( sprintf( '%s/%s', $this->namespace, $this->rest_base ) ) ); 
  261. if ( $page > 1 ) { 
  262. $prev_page = $page - 1; 
  263.  
  264. if ( $prev_page > $max_pages ) { 
  265. $prev_page = $max_pages; 
  266.  
  267. $prev_link = add_query_arg( 'page', $prev_page, $base ); 
  268. $response->link_header( 'prev', $prev_link ); 
  269. if ( $max_pages > $page ) { 
  270. $next_page = $page + 1; 
  271. $next_link = add_query_arg( 'page', $next_page, $base ); 
  272.  
  273. $response->link_header( 'next', $next_link ); 
  274.  
  275. return $response; 
  276.  
  277. /** 
  278. * Get the user, if the ID is valid. 
  279. * @since 4.7.2 
  280. * @param int $id Supplied ID. 
  281. * @return WP_User|WP_Error True if ID is valid, WP_Error otherwise. 
  282. */ 
  283. protected function get_user( $id ) { 
  284. $error = new WP_Error( 'rest_user_invalid_id', __( 'Invalid user ID.' ), array( 'status' => 404 ) ); 
  285. if ( (int) $id <= 0 ) { 
  286. return $error; 
  287.  
  288. $user = get_userdata( (int) $id ); 
  289. if ( empty( $user ) || ! $user->exists() ) { 
  290. return $error; 
  291.  
  292. if ( is_multisite() && ! is_user_member_of_blog( $user->ID ) ) { 
  293. return $error; 
  294.  
  295. return $user; 
  296.  
  297. /** 
  298. * Checks if a given request has access to read a user. 
  299. * @since 4.7.0 
  300. * @access public 
  301. * @param WP_REST_Request $request Full details about the request. 
  302. * @return true|WP_Error True if the request has read access for the item, otherwise WP_Error object. 
  303. */ 
  304. public function get_item_permissions_check( $request ) { 
  305. $user = $this->get_user( $request['id'] ); 
  306. if ( is_wp_error( $user ) ) { 
  307. return $user; 
  308.  
  309. $types = get_post_types( array( 'show_in_rest' => true ), 'names' ); 
  310.  
  311. if ( get_current_user_id() === $user->ID ) { 
  312. return true; 
  313.  
  314. if ( 'edit' === $request['context'] && ! current_user_can( 'list_users' ) ) { 
  315. return new WP_Error( 'rest_user_cannot_view', __( 'Sorry, you are not allowed to list users.' ), array( 'status' => rest_authorization_required_code() ) ); 
  316. } elseif ( ! count_user_posts( $user->ID, $types ) && ! current_user_can( 'edit_user', $user->ID ) && ! current_user_can( 'list_users' ) ) { 
  317. return new WP_Error( 'rest_user_cannot_view', __( 'Sorry, you are not allowed to list users.' ), array( 'status' => rest_authorization_required_code() ) ); 
  318.  
  319. return true; 
  320.  
  321. /** 
  322. * Retrieves a single user. 
  323. * @since 4.7.0 
  324. * @access public 
  325. * @param WP_REST_Request $request Full details about the request. 
  326. * @return WP_REST_Response|WP_Error Response object on success, or WP_Error object on failure. 
  327. */ 
  328. public function get_item( $request ) { 
  329. $user = $this->get_user( $request['id'] ); 
  330. if ( is_wp_error( $user ) ) { 
  331. return $user; 
  332.  
  333. $user = $this->prepare_item_for_response( $user, $request ); 
  334. $response = rest_ensure_response( $user ); 
  335.  
  336. return $response; 
  337.  
  338. /** 
  339. * Retrieves the current user. 
  340. * @since 4.7.0 
  341. * @access public 
  342. * @param WP_REST_Request $request Full details about the request. 
  343. * @return WP_REST_Response|WP_Error Response object on success, or WP_Error object on failure. 
  344. */ 
  345. public function get_current_item( $request ) { 
  346. $current_user_id = get_current_user_id(); 
  347.  
  348. if ( empty( $current_user_id ) ) { 
  349. return new WP_Error( 'rest_not_logged_in', __( 'You are not currently logged in.' ), array( 'status' => 401 ) ); 
  350.  
  351. $user = wp_get_current_user(); 
  352. $response = $this->prepare_item_for_response( $user, $request ); 
  353. $response = rest_ensure_response( $response ); 
  354.  
  355.  
  356. return $response; 
  357.  
  358. /** 
  359. * Checks if a given request has access create users. 
  360. * @since 4.7.0 
  361. * @access public 
  362. * @param WP_REST_Request $request Full details about the request. 
  363. * @return true|WP_Error True if the request has access to create items, WP_Error object otherwise. 
  364. */ 
  365. public function create_item_permissions_check( $request ) { 
  366.  
  367. if ( ! current_user_can( 'create_users' ) ) { 
  368. return new WP_Error( 'rest_cannot_create_user', __( 'Sorry, you are not allowed to create new users.' ), array( 'status' => rest_authorization_required_code() ) ); 
  369.  
  370. return true; 
  371.  
  372. /** 
  373. * Creates a single user. 
  374. * @since 4.7.0 
  375. * @access public 
  376. * @param WP_REST_Request $request Full details about the request. 
  377. * @return WP_REST_Response|WP_Error Response object on success, or WP_Error object on failure. 
  378. */ 
  379. public function create_item( $request ) { 
  380. if ( ! empty( $request['id'] ) ) { 
  381. return new WP_Error( 'rest_user_exists', __( 'Cannot create existing user.' ), array( 'status' => 400 ) ); 
  382.  
  383. $schema = $this->get_item_schema(); 
  384.  
  385. if ( ! empty( $request['roles'] ) && ! empty( $schema['properties']['roles'] ) ) { 
  386. $check_permission = $this->check_role_update( $request['id'], $request['roles'] ); 
  387.  
  388. if ( is_wp_error( $check_permission ) ) { 
  389. return $check_permission; 
  390.  
  391. $user = $this->prepare_item_for_database( $request ); 
  392.  
  393. if ( is_multisite() ) { 
  394. $ret = wpmu_validate_user_signup( $user->user_login, $user->user_email ); 
  395.  
  396. if ( is_wp_error( $ret['errors'] ) && ! empty( $ret['errors']->errors ) ) { 
  397. $error = new WP_Error( 'rest_invalid_param', __( 'Invalid user parameter(s).' ), array( 'status' => 400 ) ); 
  398. foreach ( $ret['errors']->errors as $code => $messages ) { 
  399. foreach ( $messages as $message ) { 
  400. $error->add( $code, $message ); 
  401. if ( $error_data = $error->get_error_data( $code ) ) { 
  402. $error->add_data( $error_data, $code ); 
  403. return $error; 
  404.  
  405. if ( is_multisite() ) { 
  406. $user_id = wpmu_create_user( $user->user_login, $user->user_pass, $user->user_email ); 
  407.  
  408. if ( ! $user_id ) { 
  409. return new WP_Error( 'rest_user_create', __( 'Error creating new user.' ), array( 'status' => 500 ) ); 
  410.  
  411. $user->ID = $user_id; 
  412. $user_id = wp_update_user( wp_slash( (array) $user ) ); 
  413.  
  414. if ( is_wp_error( $user_id ) ) { 
  415. return $user_id; 
  416.  
  417. add_user_to_blog( get_site()->id, $user_id, '' ); 
  418. } else { 
  419. $user_id = wp_insert_user( wp_slash( (array) $user ) ); 
  420.  
  421. if ( is_wp_error( $user_id ) ) { 
  422. return $user_id; 
  423.  
  424. $user = get_user_by( 'id', $user_id ); 
  425.  
  426. /** 
  427. * Fires immediately after a user is created or updated via the REST API. 
  428. * @since 4.7.0 
  429. * @param WP_User $user Inserted or updated user object. 
  430. * @param WP_REST_Request $request Request object. 
  431. * @param bool $creating True when creating a user, false when updating. 
  432. */ 
  433. do_action( 'rest_insert_user', $user, $request, true ); 
  434.  
  435. if ( ! empty( $request['roles'] ) && ! empty( $schema['properties']['roles'] ) ) { 
  436. array_map( array( $user, 'add_role' ), $request['roles'] ); 
  437.  
  438. if ( ! empty( $schema['properties']['meta'] ) && isset( $request['meta'] ) ) { 
  439. $meta_update = $this->meta->update_value( $request['meta'], $user_id ); 
  440.  
  441. if ( is_wp_error( $meta_update ) ) { 
  442. return $meta_update; 
  443.  
  444. $user = get_user_by( 'id', $user_id ); 
  445. $fields_update = $this->update_additional_fields_for_object( $user, $request ); 
  446.  
  447. if ( is_wp_error( $fields_update ) ) { 
  448. return $fields_update; 
  449.  
  450. $request->set_param( 'context', 'edit' ); 
  451.  
  452. $response = $this->prepare_item_for_response( $user, $request ); 
  453. $response = rest_ensure_response( $response ); 
  454.  
  455. $response->set_status( 201 ); 
  456. $response->header( 'Location', rest_url( sprintf( '%s/%s/%d', $this->namespace, $this->rest_base, $user_id ) ) ); 
  457.  
  458. return $response; 
  459.  
  460. /** 
  461. * Checks if a given request has access to update a user. 
  462. * @since 4.7.0 
  463. * @access public 
  464. * @param WP_REST_Request $request Full details about the request. 
  465. * @return true|WP_Error True if the request has access to update the item, WP_Error object otherwise. 
  466. */ 
  467. public function update_item_permissions_check( $request ) { 
  468. $user = $this->get_user( $request['id'] ); 
  469. if ( is_wp_error( $user ) ) { 
  470. return $user; 
  471.  
  472. if ( ! current_user_can( 'edit_user', $user->ID ) ) { 
  473. return new WP_Error( 'rest_cannot_edit', __( 'Sorry, you are not allowed to edit this user.' ), array( 'status' => rest_authorization_required_code() ) ); 
  474.  
  475. if ( ! empty( $request['roles'] ) && ! current_user_can( 'edit_users' ) ) { 
  476. return new WP_Error( 'rest_cannot_edit_roles', __( 'Sorry, you are not allowed to edit roles of this user.' ), array( 'status' => rest_authorization_required_code() ) ); 
  477.  
  478. return true; 
  479.  
  480. /** 
  481. * Updates a single user. 
  482. * @since 4.7.0 
  483. * @access public 
  484. * @param WP_REST_Request $request Full details about the request. 
  485. * @return WP_REST_Response|WP_Error Response object on success, or WP_Error object on failure. 
  486. */ 
  487. public function update_item( $request ) { 
  488. $user = $this->get_user( $request['id'] ); 
  489. if ( is_wp_error( $user ) ) { 
  490. return $user; 
  491.  
  492. $id = $user->ID; 
  493.  
  494. if ( ! $user ) { 
  495. return new WP_Error( 'rest_user_invalid_id', __( 'Invalid user ID.' ), array( 'status' => 404 ) ); 
  496.  
  497. if ( email_exists( $request['email'] ) && $request['email'] !== $user->user_email ) { 
  498. return new WP_Error( 'rest_user_invalid_email', __( 'Invalid email address.' ), array( 'status' => 400 ) ); 
  499.  
  500. if ( ! empty( $request['username'] ) && $request['username'] !== $user->user_login ) { 
  501. return new WP_Error( 'rest_user_invalid_argument', __( "Username isn't editable." ), array( 'status' => 400 ) ); 
  502.  
  503. if ( ! empty( $request['slug'] ) && $request['slug'] !== $user->user_nicename && get_user_by( 'slug', $request['slug'] ) ) { 
  504. return new WP_Error( 'rest_user_invalid_slug', __( 'Invalid slug.' ), array( 'status' => 400 ) ); 
  505.  
  506. if ( ! empty( $request['roles'] ) ) { 
  507. $check_permission = $this->check_role_update( $id, $request['roles'] ); 
  508.  
  509. if ( is_wp_error( $check_permission ) ) { 
  510. return $check_permission; 
  511.  
  512. $user = $this->prepare_item_for_database( $request ); 
  513.  
  514. // Ensure we're operating on the same user we already checked. 
  515. $user->ID = $id; 
  516.  
  517. $user_id = wp_update_user( wp_slash( (array) $user ) ); 
  518.  
  519. if ( is_wp_error( $user_id ) ) { 
  520. return $user_id; 
  521.  
  522. $user = get_user_by( 'id', $user_id ); 
  523.  
  524. /** This action is documented in lib/endpoints/class-wp-rest-users-controller.php */ 
  525. do_action( 'rest_insert_user', $user, $request, false ); 
  526.  
  527. if ( ! empty( $request['roles'] ) ) { 
  528. array_map( array( $user, 'add_role' ), $request['roles'] ); 
  529.  
  530. $schema = $this->get_item_schema(); 
  531.  
  532. if ( ! empty( $schema['properties']['meta'] ) && isset( $request['meta'] ) ) { 
  533. $meta_update = $this->meta->update_value( $request['meta'], $id ); 
  534.  
  535. if ( is_wp_error( $meta_update ) ) { 
  536. return $meta_update; 
  537.  
  538. $user = get_user_by( 'id', $user_id ); 
  539. $fields_update = $this->update_additional_fields_for_object( $user, $request ); 
  540.  
  541. if ( is_wp_error( $fields_update ) ) { 
  542. return $fields_update; 
  543.  
  544. $request->set_param( 'context', 'edit' ); 
  545.  
  546. $response = $this->prepare_item_for_response( $user, $request ); 
  547. $response = rest_ensure_response( $response ); 
  548.  
  549. return $response; 
  550.  
  551. /** 
  552. * Checks if a given request has access to update the current user. 
  553. * @since 4.7.0 
  554. * @access public 
  555. * @param WP_REST_Request $request Full details about the request. 
  556. * @return true|WP_Error True if the request has access to update the item, WP_Error object otherwise. 
  557. */ 
  558. public function update_current_item_permissions_check( $request ) { 
  559. $request['id'] = get_current_user_id(); 
  560.  
  561. return $this->update_item_permissions_check( $request ); 
  562.  
  563. /** 
  564. * Updates the current user. 
  565. * @since 4.7.0 
  566. * @access public 
  567. * @param WP_REST_Request $request Full details about the request. 
  568. * @return WP_REST_Response|WP_Error Response object on success, or WP_Error object on failure. 
  569. */ 
  570. function update_current_item( $request ) { 
  571. $request['id'] = get_current_user_id(); 
  572.  
  573. return $this->update_item( $request ); 
  574.  
  575. /** 
  576. * Checks if a given request has access delete a user. 
  577. * @since 4.7.0 
  578. * @access public 
  579. * @param WP_REST_Request $request Full details about the request. 
  580. * @return true|WP_Error True if the request has access to delete the item, WP_Error object otherwise. 
  581. */ 
  582. public function delete_item_permissions_check( $request ) { 
  583. $user = $this->get_user( $request['id'] ); 
  584. if ( is_wp_error( $user ) ) { 
  585. return $user; 
  586.  
  587. if ( ! current_user_can( 'delete_user', $user->ID ) ) { 
  588. return new WP_Error( 'rest_user_cannot_delete', __( 'Sorry, you are not allowed to delete this user.' ), array( 'status' => rest_authorization_required_code() ) ); 
  589.  
  590. return true; 
  591.  
  592. /** 
  593. * Deletes a single user. 
  594. * @since 4.7.0 
  595. * @access public 
  596. * @param WP_REST_Request $request Full details about the request. 
  597. * @return WP_REST_Response|WP_Error Response object on success, or WP_Error object on failure. 
  598. */ 
  599. public function delete_item( $request ) { 
  600. // We don't support delete requests in multisite. 
  601. if ( is_multisite() ) { 
  602. return new WP_Error( 'rest_cannot_delete', __( 'The user cannot be deleted.' ), array( 'status' => 501 ) ); 
  603. $user = $this->get_user( $request['id'] ); 
  604. if ( is_wp_error( $user ) ) { 
  605. return $user; 
  606.  
  607. $id = $user->ID; 
  608. $reassign = false === $request['reassign'] ? null : absint( $request['reassign'] ); 
  609. $force = isset( $request['force'] ) ? (bool) $request['force'] : false; 
  610.  
  611. // We don't support trashing for users. 
  612. if ( ! $force ) { 
  613. return new WP_Error( 'rest_trash_not_supported', __( 'Users do not support trashing. Set force=true to delete.' ), array( 'status' => 501 ) ); 
  614.  
  615. if ( ! empty( $reassign ) ) { 
  616. if ( $reassign === $id || ! get_userdata( $reassign ) ) { 
  617. return new WP_Error( 'rest_user_invalid_reassign', __( 'Invalid user ID for reassignment.' ), array( 'status' => 400 ) ); 
  618.  
  619. $request->set_param( 'context', 'edit' ); 
  620.  
  621. $previous = $this->prepare_item_for_response( $user, $request ); 
  622.  
  623. /** Include admin user functions to get access to wp_delete_user() */ 
  624. require_once ABSPATH . 'wp-admin/includes/user.php'; 
  625.  
  626. $result = wp_delete_user( $id, $reassign ); 
  627.  
  628. if ( ! $result ) { 
  629. return new WP_Error( 'rest_cannot_delete', __( 'The user cannot be deleted.' ), array( 'status' => 500 ) ); 
  630.  
  631. $response = new WP_REST_Response(); 
  632. $response->set_data( array( 'deleted' => true, 'previous' => $previous->get_data() ) ); 
  633.  
  634. /** 
  635. * Fires immediately after a user is deleted via the REST API. 
  636. * @since 4.7.0 
  637. * @param WP_User $user The user data. 
  638. * @param WP_REST_Response $response The response returned from the API. 
  639. * @param WP_REST_Request $request The request sent to the API. 
  640. */ 
  641. do_action( 'rest_delete_user', $user, $response, $request ); 
  642.  
  643. return $response; 
  644.  
  645. /** 
  646. * Checks if a given request has access to delete the current user. 
  647. * @since 4.7.0 
  648. * @access public 
  649. * @param WP_REST_Request $request Full details about the request. 
  650. * @return true|WP_Error True if the request has access to delete the item, WP_Error object otherwise. 
  651. */ 
  652. public function delete_current_item_permissions_check( $request ) { 
  653. $request['id'] = get_current_user_id(); 
  654.  
  655. return $this->delete_item_permissions_check( $request ); 
  656.  
  657. /** 
  658. * Deletes the current user. 
  659. * @since 4.7.0 
  660. * @access public 
  661. * @param WP_REST_Request $request Full details about the request. 
  662. * @return WP_REST_Response|WP_Error Response object on success, or WP_Error object on failure. 
  663. */ 
  664. function delete_current_item( $request ) { 
  665. $request['id'] = get_current_user_id(); 
  666.  
  667. return $this->delete_item( $request ); 
  668.  
  669. /** 
  670. * Prepares a single user output for response. 
  671. * @since 4.7.0 
  672. * @access public 
  673. * @param WP_User $user User object. 
  674. * @param WP_REST_Request $request Request object. 
  675. * @return WP_REST_Response Response object. 
  676. */ 
  677. public function prepare_item_for_response( $user, $request ) { 
  678.  
  679. $data = array(); 
  680. $schema = $this->get_item_schema(); 
  681.  
  682. if ( ! empty( $schema['properties']['id'] ) ) { 
  683. $data['id'] = $user->ID; 
  684.  
  685. if ( ! empty( $schema['properties']['username'] ) ) { 
  686. $data['username'] = $user->user_login; 
  687.  
  688. if ( ! empty( $schema['properties']['name'] ) ) { 
  689. $data['name'] = $user->display_name; 
  690.  
  691. if ( ! empty( $schema['properties']['first_name'] ) ) { 
  692. $data['first_name'] = $user->first_name; 
  693.  
  694. if ( ! empty( $schema['properties']['last_name'] ) ) { 
  695. $data['last_name'] = $user->last_name; 
  696.  
  697. if ( ! empty( $schema['properties']['email'] ) ) { 
  698. $data['email'] = $user->user_email; 
  699.  
  700. if ( ! empty( $schema['properties']['url'] ) ) { 
  701. $data['url'] = $user->user_url; 
  702.  
  703. if ( ! empty( $schema['properties']['description'] ) ) { 
  704. $data['description'] = $user->description; 
  705.  
  706. if ( ! empty( $schema['properties']['link'] ) ) { 
  707. $data['link'] = get_author_posts_url( $user->ID, $user->user_nicename ); 
  708.  
  709. if ( ! empty( $schema['properties']['locale'] ) ) { 
  710. $data['locale'] = get_user_locale( $user ); 
  711.  
  712. if ( ! empty( $schema['properties']['nickname'] ) ) { 
  713. $data['nickname'] = $user->nickname; 
  714.  
  715. if ( ! empty( $schema['properties']['slug'] ) ) { 
  716. $data['slug'] = $user->user_nicename; 
  717.  
  718. if ( ! empty( $schema['properties']['roles'] ) ) { 
  719. // Defensively call array_values() to ensure an array is returned. 
  720. $data['roles'] = array_values( $user->roles ); 
  721.  
  722. if ( ! empty( $schema['properties']['registered_date'] ) ) { 
  723. $data['registered_date'] = date( 'c', strtotime( $user->user_registered ) ); 
  724.  
  725. if ( ! empty( $schema['properties']['capabilities'] ) ) { 
  726. $data['capabilities'] = (object) $user->allcaps; 
  727.  
  728. if ( ! empty( $schema['properties']['extra_capabilities'] ) ) { 
  729. $data['extra_capabilities'] = (object) $user->caps; 
  730.  
  731. if ( ! empty( $schema['properties']['avatar_urls'] ) ) { 
  732. $data['avatar_urls'] = rest_get_avatar_urls( $user->user_email ); 
  733.  
  734. if ( ! empty( $schema['properties']['meta'] ) ) { 
  735. $data['meta'] = $this->meta->get_value( $user->ID, $request ); 
  736.  
  737. $context = ! empty( $request['context'] ) ? $request['context'] : 'embed'; 
  738.  
  739. $data = $this->add_additional_fields_to_object( $data, $request ); 
  740. $data = $this->filter_response_by_context( $data, $context ); 
  741.  
  742. // Wrap the data in a response object. 
  743. $response = rest_ensure_response( $data ); 
  744.  
  745. $response->add_links( $this->prepare_links( $user ) ); 
  746.  
  747. /** 
  748. * Filters user data returned from the REST API. 
  749. * @since 4.7.0 
  750. * @param WP_REST_Response $response The response object. 
  751. * @param object $user User object used to create response. 
  752. * @param WP_REST_Request $request Request object. 
  753. */ 
  754. return apply_filters( 'rest_prepare_user', $response, $user, $request ); 
  755.  
  756. /** 
  757. * Prepares links for the user request. 
  758. * @since 4.7.0 
  759. * @access protected 
  760. * @param WP_Post $user User object. 
  761. * @return array Links for the given user. 
  762. */ 
  763. protected function prepare_links( $user ) { 
  764. $links = array( 
  765. 'self' => array( 
  766. 'href' => rest_url( sprintf( '%s/%s/%d', $this->namespace, $this->rest_base, $user->ID ) ),  
  767. ),  
  768. 'collection' => array( 
  769. 'href' => rest_url( sprintf( '%s/%s', $this->namespace, $this->rest_base ) ),  
  770. ),  
  771. ); 
  772.  
  773. return $links; 
  774.  
  775. /** 
  776. * Prepares a single user for creation or update. 
  777. * @since 4.7.0 
  778. * @access protected 
  779. * @param WP_REST_Request $request Request object. 
  780. * @return object $prepared_user User object. 
  781. */ 
  782. protected function prepare_item_for_database( $request ) { 
  783. $prepared_user = new stdClass; 
  784.  
  785. $schema = $this->get_item_schema(); 
  786.  
  787. // required arguments. 
  788. if ( isset( $request['email'] ) && ! empty( $schema['properties']['email'] ) ) { 
  789. $prepared_user->user_email = $request['email']; 
  790.  
  791. if ( isset( $request['username'] ) && ! empty( $schema['properties']['username'] ) ) { 
  792. $prepared_user->user_login = $request['username']; 
  793.  
  794. if ( isset( $request['password'] ) && ! empty( $schema['properties']['password'] ) ) { 
  795. $prepared_user->user_pass = $request['password']; 
  796.  
  797. // optional arguments. 
  798. if ( isset( $request['id'] ) ) { 
  799. $prepared_user->ID = absint( $request['id'] ); 
  800.  
  801. if ( isset( $request['name'] ) && ! empty( $schema['properties']['name'] ) ) { 
  802. $prepared_user->display_name = $request['name']; 
  803.  
  804. if ( isset( $request['first_name'] ) && ! empty( $schema['properties']['first_name'] ) ) { 
  805. $prepared_user->first_name = $request['first_name']; 
  806.  
  807. if ( isset( $request['last_name'] ) && ! empty( $schema['properties']['last_name'] ) ) { 
  808. $prepared_user->last_name = $request['last_name']; 
  809.  
  810. if ( isset( $request['nickname'] ) && ! empty( $schema['properties']['nickname'] ) ) { 
  811. $prepared_user->nickname = $request['nickname']; 
  812.  
  813. if ( isset( $request['slug'] ) && ! empty( $schema['properties']['slug'] ) ) { 
  814. $prepared_user->user_nicename = $request['slug']; 
  815.  
  816. if ( isset( $request['description'] ) && ! empty( $schema['properties']['description'] ) ) { 
  817. $prepared_user->description = $request['description']; 
  818.  
  819. if ( isset( $request['url'] ) && ! empty( $schema['properties']['url'] ) ) { 
  820. $prepared_user->user_url = $request['url']; 
  821.  
  822. if ( isset( $request['locale'] ) && ! empty( $schema['properties']['locale'] ) ) { 
  823. $prepared_user->locale = $request['locale']; 
  824.  
  825. // setting roles will be handled outside of this function. 
  826. if ( isset( $request['roles'] ) ) { 
  827. $prepared_user->role = false; 
  828.  
  829. /** 
  830. * Filters user data before insertion via the REST API. 
  831. * @since 4.7.0 
  832. * @param object $prepared_user User object. 
  833. * @param WP_REST_Request $request Request object. 
  834. */ 
  835. return apply_filters( 'rest_pre_insert_user', $prepared_user, $request ); 
  836.  
  837. /** 
  838. * Determines if the current user is allowed to make the desired roles change. 
  839. * @since 4.7.0 
  840. * @access protected 
  841. * @param integer $user_id User ID. 
  842. * @param array $roles New user roles. 
  843. * @return true|WP_Error True if the current user is allowed to make the role change,  
  844. * otherwise a WP_Error object. 
  845. */ 
  846. protected function check_role_update( $user_id, $roles ) { 
  847. global $wp_roles; 
  848.  
  849. foreach ( $roles as $role ) { 
  850.  
  851. if ( ! isset( $wp_roles->role_objects[ $role ] ) ) { 
  852. /** translators: %s: role key */ 
  853. return new WP_Error( 'rest_user_invalid_role', sprintf( __( 'The role %s does not exist.' ), $role ), array( 'status' => 400 ) ); 
  854.  
  855. $potential_role = $wp_roles->role_objects[ $role ]; 
  856.  
  857. /** 
  858. * Don't let anyone with 'edit_users' (admins) edit their own role to something without it. 
  859. * Multisite super admins can freely edit their blog roles -- they possess all caps. 
  860. */ 
  861. if ( ! ( is_multisite() 
  862. && current_user_can( 'manage_sites' ) ) 
  863. && get_current_user_id() === $user_id 
  864. && ! $potential_role->has_cap( 'edit_users' ) 
  865. ) { 
  866. return new WP_Error( 'rest_user_invalid_role', __( 'Sorry, you are not allowed to give users that role.' ), array( 'status' => rest_authorization_required_code() ) ); 
  867.  
  868. /** Include admin functions to get access to get_editable_roles() */ 
  869. require_once ABSPATH . 'wp-admin/includes/admin.php'; 
  870.  
  871. // The new role must be editable by the logged-in user. 
  872. $editable_roles = get_editable_roles(); 
  873.  
  874. if ( empty( $editable_roles[ $role ] ) ) { 
  875. return new WP_Error( 'rest_user_invalid_role', __( 'Sorry, you are not allowed to give users that role.' ), array( 'status' => 403 ) ); 
  876.  
  877. return true; 
  878.  
  879. /** 
  880. * Check a username for the REST API. 
  881. * Performs a couple of checks like edit_user() in wp-admin/includes/user.php. 
  882. * @since 4.7.0 
  883. * @param mixed $value The username submitted in the request. 
  884. * @param WP_REST_Request $request Full details about the request. 
  885. * @param string $param The parameter name. 
  886. * @return WP_Error|string The sanitized username, if valid, otherwise an error. 
  887. */ 
  888. public function check_username( $value, $request, $param ) { 
  889. $username = (string) $value; 
  890.  
  891. if ( ! validate_username( $username ) ) { 
  892. return new WP_Error( 'rest_user_invalid_username', __( 'Username contains invalid characters.' ), array( 'status' => 400 ) ); 
  893.  
  894. /** This filter is documented in wp-includes/user.php */ 
  895. $illegal_logins = (array) apply_filters( 'illegal_user_logins', array() ); 
  896.  
  897. if ( in_array( strtolower( $username ), array_map( 'strtolower', $illegal_logins ) ) ) { 
  898. return new WP_Error( 'rest_user_invalid_username', __( 'Sorry, that username is not allowed.' ), array( 'status' => 400 ) ); 
  899.  
  900. return $username; 
  901.  
  902. /** 
  903. * Check a user password for the REST API. 
  904. * Performs a couple of checks like edit_user() in wp-admin/includes/user.php. 
  905. * @since 4.7.0 
  906. * @param mixed $value The password submitted in the request. 
  907. * @param WP_REST_Request $request Full details about the request. 
  908. * @param string $param The parameter name. 
  909. * @return WP_Error|string The sanitized password, if valid, otherwise an error. 
  910. */ 
  911. public function check_user_password( $value, $request, $param ) { 
  912. $password = (string) $value; 
  913.  
  914. if ( empty( $password ) ) { 
  915. return new WP_Error( 'rest_user_invalid_password', __( 'Passwords cannot be empty.' ), array( 'status' => 400 ) ); 
  916.  
  917. if ( false !== strpos( $password, "\\" ) ) { 
  918. return new WP_Error( 'rest_user_invalid_password', __( 'Passwords cannot contain the "\\" character.' ), array( 'status' => 400 ) ); 
  919.  
  920. return $password; 
  921.  
  922. /** 
  923. * Retrieves the user's schema, conforming to JSON Schema. 
  924. * @since 4.7.0 
  925. * @access public 
  926. * @return array Item schema data. 
  927. */ 
  928. public function get_item_schema() { 
  929. $schema = array( 
  930. '$schema' => 'http://json-schema.org/schema#',  
  931. 'title' => 'user',  
  932. 'type' => 'object',  
  933. 'properties' => array( 
  934. 'id' => array( 
  935. 'description' => __( 'Unique identifier for the user.' ),  
  936. 'type' => 'integer',  
  937. 'context' => array( 'embed', 'view', 'edit' ),  
  938. 'readonly' => true,  
  939. ),  
  940. 'username' => array( 
  941. 'description' => __( 'Login name for the user.' ),  
  942. 'type' => 'string',  
  943. 'context' => array( 'edit' ),  
  944. 'required' => true,  
  945. 'arg_options' => array( 
  946. 'sanitize_callback' => array( $this, 'check_username' ),  
  947. ),  
  948. ),  
  949. 'name' => array( 
  950. 'description' => __( 'Display name for the user.' ),  
  951. 'type' => 'string',  
  952. 'context' => array( 'embed', 'view', 'edit' ),  
  953. 'arg_options' => array( 
  954. 'sanitize_callback' => 'sanitize_text_field',  
  955. ),  
  956. ),  
  957. 'first_name' => array( 
  958. 'description' => __( 'First name for the user.' ),  
  959. 'type' => 'string',  
  960. 'context' => array( 'edit' ),  
  961. 'arg_options' => array( 
  962. 'sanitize_callback' => 'sanitize_text_field',  
  963. ),  
  964. ),  
  965. 'last_name' => array( 
  966. 'description' => __( 'Last name for the user.' ),  
  967. 'type' => 'string',  
  968. 'context' => array( 'edit' ),  
  969. 'arg_options' => array( 
  970. 'sanitize_callback' => 'sanitize_text_field',  
  971. ),  
  972. ),  
  973. 'email' => array( 
  974. 'description' => __( 'The email address for the user.' ),  
  975. 'type' => 'string',  
  976. 'format' => 'email',  
  977. 'context' => array( 'edit' ),  
  978. 'required' => true,  
  979. ),  
  980. 'url' => array( 
  981. 'description' => __( 'URL of the user.' ),  
  982. 'type' => 'string',  
  983. 'format' => 'uri',  
  984. 'context' => array( 'embed', 'view', 'edit' ),  
  985. ),  
  986. 'description' => array( 
  987. 'description' => __( 'Description of the user.' ),  
  988. 'type' => 'string',  
  989. 'context' => array( 'embed', 'view', 'edit' ),  
  990. ),  
  991. 'link' => array( 
  992. 'description' => __( 'Author URL of the user.' ),  
  993. 'type' => 'string',  
  994. 'format' => 'uri',  
  995. 'context' => array( 'embed', 'view', 'edit' ),  
  996. 'readonly' => true,  
  997. ),  
  998. 'locale' => array( 
  999. 'description' => __( 'Locale for the user.' ),  
  1000. 'type' => 'string',  
  1001. 'enum' => array_merge( array( '', 'en_US' ), get_available_languages() ),  
  1002. 'context' => array( 'edit' ),  
  1003. ),  
  1004. 'nickname' => array( 
  1005. 'description' => __( 'The nickname for the user.' ),  
  1006. 'type' => 'string',  
  1007. 'context' => array( 'edit' ),  
  1008. 'arg_options' => array( 
  1009. 'sanitize_callback' => 'sanitize_text_field',  
  1010. ),  
  1011. ),  
  1012. 'slug' => array( 
  1013. 'description' => __( 'An alphanumeric identifier for the user.' ),  
  1014. 'type' => 'string',  
  1015. 'context' => array( 'embed', 'view', 'edit' ),  
  1016. 'arg_options' => array( 
  1017. 'sanitize_callback' => array( $this, 'sanitize_slug' ),  
  1018. ),  
  1019. ),  
  1020. 'registered_date' => array( 
  1021. 'description' => __( 'Registration date for the user.' ),  
  1022. 'type' => 'string',  
  1023. 'format' => 'date-time',  
  1024. 'context' => array( 'edit' ),  
  1025. 'readonly' => true,  
  1026. ),  
  1027. 'roles' => array( 
  1028. 'description' => __( 'Roles assigned to the user.' ),  
  1029. 'type' => 'array',  
  1030. 'items' => array( 
  1031. 'type' => 'string',  
  1032. ),  
  1033. 'context' => array( 'edit' ),  
  1034. ),  
  1035. 'password' => array( 
  1036. 'description' => __( 'Password for the user (never included).' ),  
  1037. 'type' => 'string',  
  1038. 'context' => array(), // Password is never displayed. 
  1039. 'required' => true,  
  1040. 'arg_options' => array( 
  1041. 'sanitize_callback' => array( $this, 'check_user_password' ),  
  1042. ),  
  1043. ),  
  1044. 'capabilities' => array( 
  1045. 'description' => __( 'All capabilities assigned to the user.' ),  
  1046. 'type' => 'object',  
  1047. 'context' => array( 'edit' ),  
  1048. 'readonly' => true,  
  1049. ),  
  1050. 'extra_capabilities' => array( 
  1051. 'description' => __( 'Any extra capabilities assigned to the user.' ),  
  1052. 'type' => 'object',  
  1053. 'context' => array( 'edit' ),  
  1054. 'readonly' => true,  
  1055. ),  
  1056. ),  
  1057. ); 
  1058.  
  1059. if ( get_option( 'show_avatars' ) ) { 
  1060. $avatar_properties = array(); 
  1061.  
  1062. $avatar_sizes = rest_get_avatar_sizes(); 
  1063.  
  1064. foreach ( $avatar_sizes as $size ) { 
  1065. $avatar_properties[ $size ] = array( 
  1066. /** translators: %d: avatar image size in pixels */ 
  1067. 'description' => sprintf( __( 'Avatar URL with image size of %d pixels.' ), $size ),  
  1068. 'type' => 'string',  
  1069. 'format' => 'uri',  
  1070. 'context' => array( 'embed', 'view', 'edit' ),  
  1071. ); 
  1072.  
  1073. $schema['properties']['avatar_urls'] = array( 
  1074. 'description' => __( 'Avatar URLs for the user.' ),  
  1075. 'type' => 'object',  
  1076. 'context' => array( 'embed', 'view', 'edit' ),  
  1077. 'readonly' => true,  
  1078. 'properties' => $avatar_properties,  
  1079. ); 
  1080.  
  1081. $schema['properties']['meta'] = $this->meta->get_field_schema(); 
  1082.  
  1083. return $this->add_additional_fields_schema( $schema ); 
  1084.  
  1085. /** 
  1086. * Retrieves the query params for collections. 
  1087. * @since 4.7.0 
  1088. * @access public 
  1089. * @return array Collection parameters. 
  1090. */ 
  1091. public function get_collection_params() { 
  1092. $query_params = parent::get_collection_params(); 
  1093.  
  1094. $query_params['context']['default'] = 'view'; 
  1095.  
  1096. $query_params['exclude'] = array( 
  1097. 'description' => __( 'Ensure result set excludes specific IDs.' ),  
  1098. 'type' => 'array',  
  1099. 'items' => array( 
  1100. 'type' => 'integer',  
  1101. ),  
  1102. 'default' => array(),  
  1103. ); 
  1104.  
  1105. $query_params['include'] = array( 
  1106. 'description' => __( 'Limit result set to specific IDs.' ),  
  1107. 'type' => 'array',  
  1108. 'items' => array( 
  1109. 'type' => 'integer',  
  1110. ),  
  1111. 'default' => array(),  
  1112. ); 
  1113.  
  1114. $query_params['offset'] = array( 
  1115. 'description' => __( 'Offset the result set by a specific number of items.' ),  
  1116. 'type' => 'integer',  
  1117. ); 
  1118.  
  1119. $query_params['order'] = array( 
  1120. 'default' => 'asc',  
  1121. 'description' => __( 'Order sort attribute ascending or descending.' ),  
  1122. 'enum' => array( 'asc', 'desc' ),  
  1123. 'type' => 'string',  
  1124. ); 
  1125.  
  1126. $query_params['orderby'] = array( 
  1127. 'default' => 'name',  
  1128. 'description' => __( 'Sort collection by object attribute.' ),  
  1129. 'enum' => array( 
  1130. 'id',  
  1131. 'include',  
  1132. 'name',  
  1133. 'registered_date',  
  1134. 'slug',  
  1135. 'email',  
  1136. 'url',  
  1137. ),  
  1138. 'type' => 'string',  
  1139. ); 
  1140.  
  1141. $query_params['slug'] = array( 
  1142. 'description' => __( 'Limit result set to users with a specific slug.' ),  
  1143. 'type' => 'array',  
  1144. 'items' => array( 
  1145. 'type' => 'string',  
  1146. ),  
  1147. ); 
  1148.  
  1149. $query_params['roles'] = array( 
  1150. 'description' => __( 'Limit result set to users matching at least one specific role provided. Accepts csv list or single role.' ),  
  1151. 'type' => 'array',  
  1152. 'items' => array( 
  1153. 'type' => 'string',  
  1154. ),  
  1155. ); 
  1156.  
  1157. /** 
  1158. * Filter collection parameters for the users controller. 
  1159. * This filter registers the collection parameter, but does not map the 
  1160. * collection parameter to an internal WP_User_Query parameter. Use the 
  1161. * `rest_user_query` filter to set WP_User_Query arguments. 
  1162. * @since 4.7.0 
  1163. * @param array $query_params JSON Schema-formatted collection parameters. 
  1164. */ 
  1165. return apply_filters( 'rest_user_collection_params', $query_params );